Onion Spoofing: a Novel Technique for Observing Exit Node Traffic for Correlation Attacks

Metzman, Jonathan
Senior thesis
38 pages


Feamster, Nick
Princeton University. Department of Computer Science
Class year
Summary note
Tor is a tool that is used by 2,000,000 users every day for anonymous internet activity like anonymous web browsing. However, Tor’s suitability for web browsing is not only a cause of its popularity; it is also a cause of its biggest weakness. Because Tor is fast enough for web browsing, it is vulnerable to traffic correlation. Traffic correlation is an attack on anonymity where an attacker observing both ends of a victim’s Tor connection can determine that both of these ends are “correlated”, thus revealing who the victim is communicating with. This revelation makes the victim’s communication no longer anonymous. Past research has shown that Tor nodes, Autonomous Systems (ASes), and Internet Exchange Points (IXPs) can perform correlation attacks. In this paper we introduce “Onion Spoofing”, an attack that uses DNS spoofing to intercept and observe traffic sent out of Tor by exit nodes. We then describe our implementation of Onion Spoofing and how we used it to perform correlation attacks to deanonymize Tor users in experimental settings. After this description, we share measurements we took of the Tor network. These show that 91% of Tor exits are vulnerable to Onion Spoofing. We also found that 31% of Tor connections at any given time are vulnerable to Onion Spoofing by Google. After demonstrating that Onion Spoofing is a threat to anonymity, we suggest mitigations and make recommendations for future work to improve Onion Spoofing.

Supplementary Information